Ventoy and Arch

Retiring a 62GB SanDisk USB and planning on making it a Ventoy stick.

I came across this in my research today searching for the Ventoy installer…

It’s never “bit” me in ways I actually know about after years of use, to give the (Chinese I assume) Devs the benefit of the doubt.

Is this info concerning to anyone in any way?

Or just Arch doing its due diligence?

I don’t know. We trust proprietary software we don’t get to see the code to. However, it is a bit bothersome they make no interactions when contacted.

This is true. All of us.

Devil’s advocate in me thinks maybe they have 60-70 hr work weeks (we all used to) and don’t know the robust Linux Western response protocol for such endeavours (no pun etc)…but I may be too generous here

That Arch proper sees it as a red flag gets my attention

It’s a long-standing, valid criticism. The discussions are documented on their GitHub tracker and other distros have reservations too.

If one wants to go full tinfoil hat it’s the perfect attack vector to compromise a lot of systems right at installation.

Is there any indication that is the case: No. Are binary blobs questionable in general: Yes. It comes down to trust. I would consider these warnings “due diligence”.

Yeah, never heard of this vector being exploited by them. Due diligence, I agree.

There was nothing wrong with my post calling out Arch for overreacting.

FOLLOWUP:

I did re-purpose the 62GB as a Ventoy stick. I used their web install. It’s fast and easy.

Unrelated:

I am entering the DM/TM phase of my Linux journey. I’ve tasted plenty of goods and me likey.

Pinned issue on the GitHub repo with the discussion: https://github.com/ventoy/Ventoy/issues/3224

The dev has started the process to compile the BLOBs from source to fix the issue, but it’s not a quick job.

Comment with some alternatives: https://github.com/ventoy/Ventoy/issues/3224#issuecomment-4229821093

From an open source point of view, blobs are bad, yeah, no question.

I have been and still am using Ventoy, mostly for convenience, but always with a bad feeling in my stomach about the issues mentioned in this thread.

Most, if not all, of my current systems are installed using this tool so if they are compromised and are being exploited, I am toasted.
:hot_face:

The bit about

“might contain backdoors or other malicious code”

is what tripped me. That is the reason I do not use Ventoy anymore. If required, I use dd to write an ISO onto a USB and then boot from it. Have a look at Super Grub2; it takes much, much more work though, compared to Ventoy.

This could be said about every “bin” that you install. While it’s possible there could be, it’s also possible there is not. So far I haven’t really heard anything that sets off the bells. Maybe a few concerns, but if you replace the name Ventoy with “XYZ” you will have the same unknown across all binaries that are downloaded and used. No one has claimed anything that would suggest they are actually engaging in malicious behavior. Ventoy has been around for a few years now, so it’s been tested pretty thoroughly by the community. Until the major announcements are made to not use it, I think we are putting more into it than there is. But who knows, last year we found a long-time maintainer who was doing shady stuff. At the end of the day it boils down to whether you choose to trust it or not.

Yep. Not saying that Ventoy is doing something bad or is malicious.

Though this gets me thinking. What if we had a 64GB SanDisk USB like @drunkenvicar. We partition it into five 10GB ext4 partitions and one 10GB partition for swap. On the remaining 4GB we install GRUB 2. The five 10GB partitions can be used for SystemRescueCD, UltimateBootCD, CloneZilla, RescueZilla, RescueCat, EOS Live, etc. This can be achieved using dd. Will it work? Ideally the GRUB installed in the 4GB ought to detect the various Linux distros in the 10GB ext4 partitions and give options to boot them.

Pity GRUB2 does not have the ability to boot BSD-based systems.

Before Ventoy, I used multisystem USB. Unfortunately the project seems no longer active now.

How I wish Rufus worked on Linux, or at least in Wine. That is the thing I miss from Windows for anything related to formatting a flash drive.

A good while before I fully switched from Windows to Linux, Rufus had screwed the pooch. I can’t remember what I used after Rufus until Ventoy came out.

Plenty of other tools out there. I think the only time I have sought out Rufus is to write a Windows ISO to USB.